CVE-2023-46648 Vulnerability Details

  /     /     /  

CVE-2023-46648 Metadata Quick Info

CVE Published: 21/12/2023 | CVE Updated: 02/08/2024 | CVE Year: 2023
Source: GitHub_P | Vendor: GitHub | Product: Enterprise Server
Status : PUBLISHED

---

CVE-2023-46648 Description

An insufficient entropy vulnerability was identified in GitHub Enterprise Server (GHES) that allowed an attacker to brute force a user invitation to the GHES Management Console. To exploit this vulnerability, an attacker would need knowledge that a user invitation was pending. This vulnerability affected all versions of GitHub Enterprise Server since 3.8 and was fixed in version 3.8.12, 3.9.7, 3.10.4, and 3.11.1. This vulnerability was reported via the GitHub Bug Bounty program.

Metrics

CVSS Version: 3.1 | Base Score: 8.3 HIGH
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

l➤ Exploitability Metrics:
    Attack Vector (AV)* NETWORK
    Attack Complexity (AC)* HIGH
    Privileges Required (PR)* NONE
    User Interaction (UI)* REQUIRED
    Scope (S)* CHANGED

l➤ Impact Metrics:
    Confidentiality Impact (C)* HIGH
    Integrity Impact (I)* HIGH
    Availability Impact (A)* HIGH

Weakness Enumeration (CWE)

CWE-ID: CWE-331
CWE Name: CWE-331 Insufficient Entropy
Source: GitHub

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID: CAPEC-112
CAPEC Description: CAPEC-112 Brute Force


Source: NVD (National Vulnerability Database).